All Collections
Compliance & Data Protection
Compliance & Data Protection
Sebastian avatar
Written by Sebastian
Updated over a week ago

Our architecture is built on top of Amazon AWS frameworks to enable best practice protection controls, implemented based on industry standards. We process only the minimum personal data required to provide app functionality to merchants and are compliant with the General Data Protection Regulation (GDPR).

For details on how we handle personal information, please review our Privacy Policy.

Please see below the technical details on how we encrypt and handle data at each stage of our application:


  1. The server-side link tracking script runs on every page load of the merchant store. When it detects a referral link click, it generates a signed HMAC token and injects it into the HTML.

  2. When the client-side link tracking script receives this token, it consults with the Shopify Customer Privacy API on whether we have cookie consent from the user, and if we do, it sets the tracking cookie. If the server-side link tracking script is not installed, the client-side link tracking script can detect a link click and generate a weaker token to use as a cookie.

  3. When the client-side checkout tracking script detects a tracking cookie, it sends checkout information to our backend to track the referral.

  4. Checkout information = order ID and clicker metadata: IP, user agent, click time


Simple Affiliate stores data and backups with the Amazon AWS RDS and S3 services, which are located in the United States.


Data stored in Amazon S3 buckets, encrypted with SSE-S3 - S3 managed encryption keys

  • database backups (retained for two years)

  • checkout logs for link tracking (retained for two years)

  • application logs (retained for two years)

  • server access logs (retained for two years)

  • internal reports created by our employees (retained for two years)

Data stored in Amazon RDS, encrypted with AWS-managed keys:

  • logs of Shopify webhooks and all outgoing emails (retained for two years)

  • production backups (retained for seven days, primary backups are in S3)


The Simple Affiliate user interface runs on the user's computer in a web browser. All communication between this browser application and the Simple Affiliate server occurs over a connection encrypted by TLSv1.2_2021.


Testing and staging environments are logically separated from the Production environment. No production data is used in our development or test environments.


Simple Affiliate's Production Environment uses role-based (RBAC) security architecture requiring users to be authenticated and authorized before accessing any system resources. Resources are protected using industry-standard tools. Access to data is logged to ensure all access is appropriate.


Non-Log Production data are replicated among discrete operating environments to protect the availability of Simple Affiliate's service in the event of catastrophic events. The available Simple Affiliate data archiving service mitigates data loss for customer logs in the event of catastrophic events.


Simple Affiliate has established policies and procedures for responding to potential security incidents. All incidents are managed by Simple Affiliate's Incident Response Team. Simple Affiliate defines the events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.

Did this answer your question?